ClawHub

Dataify Google Play Store Reviews By Url

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to build Dataify scraper requests, but it handles API tokens in ways that can expose them unnecessarily.

Install only if you are comfortable using Dataify with an API token. Prefer a temporary environment variable or a credential manager over writing the token into shell startup files, and avoid sharing terminal output because the helper may print the live bearer token. Review the generated curl before running it and do not submit sensitive app data unless Dataify is an approved destination for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to persistently store `DATAIFY_API_TOKEN` in shell profile files and user environment variables without any warning about the security implications of long-lived credential storage. This increases the chance of token exposure through local compromise, shared accounts, backups, shell history mistakes, or accidental disclosure in support/debug workflows.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs users to persist DATAIFY_API_TOKEN in shell startup files or user environment settings, which causes the credential to remain stored long-term on disk and automatically loaded into future sessions. While common operational guidance, it omits warnings about local credential exposure, accidental inclusion in backups/dotfile sync, and risks on shared or compromised machines.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation provides a curl command that sends both user-supplied data and a bearer token to a third-party endpoint, but does not clearly disclose that authenticated data is being transmitted off-host to an external service. This can mislead users about where their inputs and credentials are going, increasing privacy and credential-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script reads a live API token from the environment and embeds it directly into a printed, ready-to-run curl command. This can expose the bearer token in terminal scrollback, shell history, logs, CI output, screenshots, or copied text, enabling unauthorized use of the Dataify account if the output is mishandled.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal